To this point, HTTPS has been strongly encouraged yet not required, but all that is about to change. Starting in October 2017, Google will begin displaying "not secure" warning labels on all HTTP sites when sites are visited in incognito mode.